© 2002, 2001, Cisco Systems, Inc. All rights reserved.
« But, we have IPsec for securing IPv6! »
• Autoconfiguration
– stateless configuration and discovery: requirements that conflict with security
• ICMPv6 protected by IPsec
– security bootstrap problem
• DAD
– duplicate address detection mechanism
Figure: Neighbor Solicitation sent by A to find B
ICMP type = 135
Src = A
Dst = Solicited-node multicast of B
Data = link-layer address of A
Query = what is your link address?
Security mechanisms built into the discovery protocol: none. Bootstrap security problem!
Potential solution: 802.1X on L2.
Figure: routing header example between nodes B and C (addresses 3ffe:0b00:0:4::1 and 3ffe:0b00:0:3::1)
Routing header (Next header = 43)
IPv6 basic header | Routing header
Routing header fields: Next Header | Ext Hdr Length | Routing Type | Segments Left
ICMPv6 packet (Next header = 58)
IPv6 basic header | ICMPv6 packet
ICMPv6 fields: ICMPv6 Type | ICMPv6 Code | Checksum | ICMPv6 Data
Router Advertisement (RA)
RA relies solely on IPsec AH for security…
RA packet definitions:
ICMP Type = 134
Src = Router link-local address
Dst = All-nodes multicast address
Data = 2 prefixes:
– Current prefix (to be deprecated) with short lifetime
– New prefix (to be used) with normal lifetime
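The two Neighbor Discovery messages on these slides (the Neighbor Solicitation, type 135, and the Router Advertisement, type 134, carrying two prefixes) can be decoded with a small parser. The block below is an added example written for this page, not Cisco code and not part of the original deck; it follows the RFC 4861 message layouts, builds constructed sample messages (checksum left at zero, MAC 00:11:22:33:44:55 and the 2001:db8: prefixes are made up), and shows how a listener can tell which advertised prefix is being deprecated. Nothing in these messages authenticates the sender, which is the bootstrap problem the slides describe.

```python
import ipaddress
import struct

ND_NEIGHBOR_SOLICITATION = 135
ND_ROUTER_ADVERTISEMENT = 134
OPT_SOURCE_LINK_LAYER = 1      # RFC 4861 option: source link-layer address
OPT_PREFIX_INFORMATION = 3     # RFC 4861 option: prefix information


def solicited_node_multicast(addr):
    """ff02::1:ffXX:XXXX, where XX:XXXX are the low 24 bits of the unicast address."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24)


def _parse_options(data):
    """Walk ND TLV options; the length byte is in 8-octet units and covers type+length."""
    options, offset = [], 0
    while offset + 2 <= len(data):
        opt_type, opt_len = data[offset], data[offset + 1]
        if opt_len == 0:
            raise ValueError("option length 0 is invalid (RFC 4861)")
        end = offset + opt_len * 8
        if end > len(data):
            raise ValueError("option runs past end of message")
        options.append((opt_type, data[offset + 2:end]))
        offset = end
    return options


def parse_neighbor_solicitation(msg):
    """Type 135: type, code, checksum, 4 reserved bytes, 16-byte target, options."""
    icmp_type, _code, _checksum, _reserved = struct.unpack("!BBHI", msg[:8])
    if icmp_type != ND_NEIGHBOR_SOLICITATION:
        raise ValueError("not a Neighbor Solicitation")
    target = ipaddress.IPv6Address(msg[8:24])
    src_lladdr = None
    for opt_type, body in _parse_options(msg[24:]):
        if opt_type == OPT_SOURCE_LINK_LAYER:
            src_lladdr = ":".join(f"{b:02x}" for b in body[:6])
    return {"target": str(target), "src_lladdr": src_lladdr}


def parse_router_advertisement(msg):
    """Type 134: 16-byte header, then options; we extract Prefix Information options."""
    (icmp_type, _code, _checksum, _hop_limit, _flags, router_lifetime,
     _reachable, _retrans) = struct.unpack("!BBHBBHII", msg[:16])
    if icmp_type != ND_ROUTER_ADVERTISEMENT:
        raise ValueError("not a Router Advertisement")
    prefixes = []
    for opt_type, body in _parse_options(msg[16:]):
        if opt_type == OPT_PREFIX_INFORMATION:
            plen, _pflags, valid, preferred, _res2 = struct.unpack("!BBIII", body[:14])
            prefix = ipaddress.IPv6Address(body[14:30])
            prefixes.append({
                "prefix": f"{prefix}/{plen}",
                "valid_lifetime": valid,
                "preferred_lifetime": preferred,
                # Preferred lifetime 0: addresses from this prefix become deprecated,
                # existing connections keep working but new ones use another prefix.
                "deprecated": preferred == 0,
            })
    return {"router_lifetime": router_lifetime, "prefixes": prefixes}


def build_neighbor_solicitation(target, src_mac):
    """Constructed sample NS (checksum 0; a real stack computes it)."""
    header = struct.pack("!BBHI", ND_NEIGHBOR_SOLICITATION, 0, 0, 0)
    opt = struct.pack("!BB6s", OPT_SOURCE_LINK_LAYER, 1, bytes.fromhex(src_mac.replace(":", "")))
    return header + ipaddress.IPv6Address(target).packed + opt


def build_router_advertisement(prefixes, router_lifetime=1800):
    """Constructed sample RA; prefixes = [(prefix, plen, valid, preferred), ...]."""
    header = struct.pack("!BBHBBHII", ND_ROUTER_ADVERTISEMENT, 0, 0, 64, 0, router_lifetime, 0, 0)
    opts = b""
    for prefix, plen, valid, preferred in prefixes:
        opts += struct.pack("!BBBBIII", OPT_PREFIX_INFORMATION, 4, plen, 0xC0, valid, preferred, 0)
        opts += ipaddress.IPv6Address(prefix).packed
    return header + opts


def demo():
    """NS for a constructed target, then the two-prefix renumbering RA from the slide."""
    ns = build_neighbor_solicitation("2000::45b", "00:11:22:33:44:55")
    ra = build_router_advertisement([
        ("2001:db8:1::", 64, 600, 0),            # current prefix, short lifetime, deprecated
        ("2001:db8:2::", 64, 2592000, 604800),   # new prefix, normal lifetimes
    ])
    return parse_neighbor_solicitation(ns), parse_router_advertisement(ra)


if __name__ == "__main__":
    print(solicited_node_multicast("2000::45a"))
    print(demo())
```

A host that accepts the RA above will start using the second prefix for new connections while the first one fades out; since nothing in the message proves which router sent it, the same decode is what a monitoring tool would use to log every RA source on a segment.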
IPv6 Header (Next Header = TCP) | TCP Header + Data
• Processed only by the node identified in the IPv6 Destination Address field => much lower overhead than IPv4 options
– exception: Hop-by-Hop Options header
• Eliminated IPv4's 40-octet limit on options
– in IPv6, the limit is the total packet size, or the Path MTU in some cases
Eric Marin © 2003, Cisco Systems, Inc. All rights reserved. 16
Filtering Extension Headers
• Reflect
– A reflexive ACL is created dynamically when traffic matches a permit entry containing the reflect keyword.
– The reflexive ACL mirrors the permit entry and times out (by default after 3 minutes) unless further traffic matches the entry (or a FIN is detected for TCP traffic).
– Reflexive ACLs can be applied to TCP, UDP, SCTP and ICMPv6.
• Evaluate
– Apply the packet against a reflexive ACL.
– Multiple evaluate statements are allowed per ACL.
– The implicit deny any any rule does not apply at the end of a reflexive ACL; matching continues after the evaluate in this case.
Router1#
interface ethernet-0
 ipv6 address 2000::45a/64
 ipv6 traffic-filter In in
 ipv6 traffic-filter Out out
interface ethernet-1
 ipv6 address 2001::45a/64
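The reflect/evaluate behaviour described above (a mirrored entry created by an outbound permit, refreshed by matching traffic, dropped after the 3-minute default timeout or on a TCP FIN, and an evaluate after which matching continues instead of hitting the implicit deny) is easy to get wrong when reasoning about a rule set. The following model is an added example written for this page, not IOS code and not from the original deck; the flows, addresses and the static SMTP permit are constructed, and timestamps are passed explicitly so the expiry arithmetic is visible.

```python
from dataclasses import dataclass, field

DEFAULT_TIMEOUT = 180  # IOS default: a reflexive entry expires after 3 minutes


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def mirror(self):
        """The return direction of this flow (what the reflexive entry must match)."""
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)


@dataclass
class ReflexiveAcl:
    name: str
    timeout: int = DEFAULT_TIMEOUT
    entries: dict = field(default_factory=dict)  # mirrored Flow -> expiry timestamp

    def reflect(self, flow, now):
        """Outbound packet matched 'permit ... reflect <name>': create the mirror entry."""
        self.entries[flow.mirror()] = now + self.timeout

    def evaluate(self, flow, now, tcp_fin=False):
        """True if the flow matches a live entry; refresh the timer, or remove it on FIN."""
        expiry = self.entries.get(flow)
        if expiry is None or expiry <= now:
            self.entries.pop(flow, None)   # expired entries are garbage-collected lazily
            return False
        if tcp_fin:
            self.entries.pop(flow)          # TCP session closing: entry removed early
        else:
            self.entries[flow] = now + self.timeout
        return True


class InboundFilter:
    """Inbound ACL: 'evaluate <name>' first, then static entries, then implicit deny."""

    def __init__(self, reflexive):
        self.reflexive = reflexive
        self.static_permits = []  # (proto, dport) pairs permitted regardless of state

    def check(self, flow, now, tcp_fin=False):
        if self.reflexive.evaluate(flow, now, tcp_fin):
            return "permit (reflexive)"
        # No implicit deny right after evaluate: keep matching the remaining entries.
        for proto, dport in self.static_permits:
            if flow.proto == proto and flow.dport == dport:
                return "permit (static)"
        return "deny (implicit)"


def timeout_scenario():
    """Outbound web request, replies inside and outside the refreshed timeout window."""
    refl = ReflexiveAcl("TCP-REFLECT")
    inbound = InboundFilter(refl)
    inbound.static_permits.append(("tcp", 25))           # constructed static SMTP permit
    t0 = 1000.0
    out = Flow("tcp", "2000::45a", 40000, "2001:db8::80", 80)   # constructed client flow
    refl.reflect(out, t0)
    reply = out.mirror()
    results = [
        inbound.check(reply, t0 + 10),          # live: expiry moves to t0+190
        inbound.check(reply, t0 + 180),         # still live (180 < 190): expiry t0+360
        inbound.check(reply, t0 + 361),         # expired: falls through to implicit deny
        inbound.check(Flow("tcp", "2001:db8::beef", 1234, "2000::45a", 22), t0),  # unsolicited
        inbound.check(Flow("tcp", "2001:db8::25", 1234, "2000::45a", 25), t0),    # static permit
    ]
    return results


def fin_scenario():
    """A FIN on the return flow removes the entry before the timer would."""
    refl = ReflexiveAcl("TCP-REFLECT")
    inbound = InboundFilter(refl)
    t0 = 2000.0
    out = Flow("tcp", "2000::45a", 40001, "2001:db8::80", 80)
    refl.reflect(out, t0)
    reply = out.mirror()
    return [inbound.check(reply, t0 + 1, tcp_fin=True), inbound.check(reply, t0 + 2)]


if __name__ == "__main__":
    print(timeout_scenario())
    print(fin_scenario())
```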
Fragment header (Next header = 44)
IPv6 basic header | Fragment header
Fragment header fields: Next Header | Reserved | Fragment Offset
Identification
Fragment data
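The routing, ICMPv6 and fragment header layouts on these slides chain together through the Next Header field, and a filter has to walk that chain before it can see the upper-layer protocol. The block below is an added example for this page, not Cisco code and not from the original deck: it follows the chain from the 40-byte basic header, honours the Ext Hdr Length convention (8-octet units, not counting the first 8 octets) for the variable-length headers and the fixed 8-octet fragment header, and reports two things a filter cares about: a type 0 routing header that still has segments left (deprecated by RFC 5095, which I add here; the slides only show the field) and a non-initial fragment, whose upper-layer header is simply not in the packet. The sample packet is constructed; it reuses the two 3ffe:0b00 addresses from the slide figure, while 2001:db8::1 and the ICMPv6 echo payload are made up.

```python
import ipaddress
import struct

# Next Header values (IANA protocol numbers) handled by this walker
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTIONS = 0, 43, 44, 60
ICMPV6, TCP, UDP = 58, 6, 17
EXT_HEADERS = {HOP_BY_HOP: "hop-by-hop", ROUTING: "routing",
               FRAGMENT: "fragment", DEST_OPTIONS: "dest-options"}
UPPER_LAYER = {ICMPV6: "icmpv6", TCP: "tcp", UDP: "udp"}


def walk_extension_headers(packet):
    """Return (chain of header names, findings) for one IPv6 packet."""
    if len(packet) < 40:
        raise ValueError("truncated IPv6 basic header")
    payload_len = struct.unpack("!H", packet[4:6])[0]
    next_header = packet[6]
    end = min(len(packet), 40 + payload_len)
    chain, findings, offset = [], [], 40
    while next_header in EXT_HEADERS:
        if offset + 8 > end:
            raise ValueError("truncated extension header")
        chain.append(EXT_HEADERS[next_header])
        if next_header == FRAGMENT:
            # Fixed 8 octets: next header, reserved, offset(13)/res(2)/M(1), identification
            nh, _res, off_flags, _ident = struct.unpack("!BBHI", packet[offset:offset + 8])
            if off_flags >> 3 > 0:
                # Non-initial fragment: no upper-layer header here, so a stateless
                # ACL cannot match ports or an ICMPv6 type on this packet.
                findings.append("non-initial fragment: upper-layer header not present")
                return chain, findings
            hdr_len = 8
        else:
            nh, ext_len = packet[offset], packet[offset + 1]
            hdr_len = (ext_len + 1) * 8   # Ext Hdr Length excludes the first 8 octets
            if next_header == ROUTING:
                routing_type, segments_left = packet[offset + 2], packet[offset + 3]
                if routing_type == 0 and segments_left > 0:
                    # RFC 5095 deprecates type 0: nodes along the embedded path forward it.
                    findings.append(f"routing header type 0 with {segments_left} segments left")
        offset += hdr_len
        next_header = nh
    chain.append(UPPER_LAYER.get(next_header, f"proto-{next_header}"))
    return chain, findings


def build_sample_packet(frag_offset=0):
    """Constructed packet: basic header -> routing header (type 0, 1 segment left)
    -> fragment header -> ICMPv6 echo request. frag_offset is in 8-octet units."""
    icmp = struct.pack("!BBHHH", 128, 0, 0, 0x1234, 1)                 # echo request
    frag = struct.pack("!BBHI", ICMPV6, 0, (frag_offset << 3) | 0, 0xDEADBEEF)
    via = ipaddress.IPv6Address("2001:db8::1").packed                   # constructed hop
    routing = struct.pack("!BBBBI", FRAGMENT, 2, 0, 1, 0) + via         # 24 octets, ext len 2
    payload = routing + frag + icmp
    basic = struct.pack("!IHBB", 0x60000000, len(payload), ROUTING, 64)
    basic += ipaddress.IPv6Address("3ffe:0b00:0:4::1").packed           # src from the slide
    basic += ipaddress.IPv6Address("3ffe:0b00:0:3::1").packed           # dst from the slide
    return basic + payload


if __name__ == "__main__":
    print(walk_extension_headers(build_sample_packet()))
    print(walk_extension_headers(build_sample_packet(frag_offset=100)))
```

On the first packet the walker reaches ICMPv6 and flags the routing header; on the second it stops at the fragment header, which is exactly the situation where a filter has to fall back to a stateful or reassembling inspection path rather than guessing.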
Mobility and security
Not possible in IPv4; the security elements of Mobile IPv6 are still work in progress… (MIPv6 draft: Return Routability Test).
Figure: Mobile Node, addresses 3ffe:0b00:c18::1 and 2001:2:a010::5
• Mobility means:
– Mobile devices are fully supported while moving
– Built into IPv6
– Any node can use it
– Efficient routing means performance for end-users
Transition mechanisms security
http://www.6net.org/publications/
D6.2.2: Operational procedures for secured management with transition mechanisms
draft-savola-v6ops-6to4-security-02.txt
• Anti-spoofing ACLs
• Use of IPsec for protecting manually configured tunnels
Conclusion
• IPTrap
– Listens on ports and fakes services
– Works with IPChains/IPTables to firewall clients
• AESOP
– TCP proxy
http://www.securityfocus.com/archive/119/303782/2002-12-15/2002-12-21/0
“IPv6 Security”
Eric Marin
EMEA Senior Consulting Engineer